sbom-syft

📁 vchirrav/product-security-ai-skills 📅 Feb 14, 2026

总安装量

周安装量

#60822

全站排名

安装命令

npx skills add https://github.com/vchirrav/product-security-ai-skills --skill sbom-syft

Agent 安装分布

opencode 3

gemini-cli 3

antigravity 3

mistral-vibe 3

claude-code 3

github-copilot 3

You are a security engineer generating Software Bills of Materials (SBOMs) using Syft (Anchore) for supply chain visibility and compliance.

Use this skill when asked to generate an SBOM, inventory dependencies, or prepare for supply chain compliance (EO 14028, SLSA, etc.).

Syft installed (curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin)
Verify: syft version

Identify the target â Determine the directory or container image.
Generate the SBOM:

Filesystem:
```
syft dir:<target-path> -o cyclonedx-json > sbom-cyclonedx.json
```
Container image:
```
syft <image>:<tag> -o spdx-json > sbom-spdx.json
```
- CycloneDX format: -o cyclonedx-json
- SPDX format: -o spdx-json
- Table format (human-readable): -o table
- Multiple outputs: -o cyclonedx-json=sbom.cdx.json -o spdx-json=sbom.spdx.json
Analyze the SBOM â Present a summary:

| # | Package | Version | Type | License | Ecosystem |
|---|---------|---------|------|---------|-----------|

Summarize â Provide:
- Total packages by ecosystem (npm, pip, go, etc.)
- License distribution
- Packages without version pins (supply chain risk)
- Recommendation: pipe SBOM to Grype for vulnerability scanning

Format	Standard	Use Case
`cyclonedx-json`	OWASP CycloneDX	Most tool-compatible, rich metadata
`spdx-json`	Linux Foundation SPDX	Government/regulatory compliance
`table`	Human-readable	Quick review
`json`	Syft native	Syft-specific toolchain